Kaspersky DDoS Intelligence Report for Q2 2016

Q2 events

DDoS attacks have had a serious impact on cryptocurrency wallet services. In the second quarter of 2016, two companies – CoinWallet and Coinkite – announced they were ceasing operations due to lengthy DDoS attacks. According to Coinkite’s official blog, the e-wallet service and its API will be shut down. The company admits that the decision was largely due to constant attacks and pressure from various governments that want to regulate cryptocurrency.

A piece of malware was detected that possesses worm functionality and builds a botnet of Linux-based routers (including Wi-Fi access points). It spreads via Telnet. An analysis of the worm’s code has shown that it can be used in various types of DDoS attacks.

Experts have registered a growing number of botnet C&C servers based on LizardStresser, a tool used to perform DDoS attacks. The LizardStresser source code belongs to the hacker group Lizard Squad and was made publicly available at the end of 2015, which led to the increase in the number of botnets using new versions of the tool.

Researchers discovered a botnet consisting of 25,000 devices, most of which are surveillance cameras. According to the experts, 46% of the infected devices are H.264 DVR CCTV systems. The other compromised devices were manufactured by ProvisionISR, Qsee, QuesTek, TechnoMate, LCT CCTV, Capture CCTV, Elvox, Novus, and MagTec CCTV.

A new botnet named Jaku located mainly in Japan and South Korea was detected. Researchers have stated that the botnet operators are focused on major targets: engineering companies, international organizations, scientific institutions.

A new modification of the Cerber ransomware that uses an infected device to carry out DDoS attacks was discovered. This cryptor Trojan sends UDP packets in which the sender address is replaced with the address of the victim. A host that receives such a packet sends its reply to the victim’s address. This technique is used to organize a UDP flood, meaning that this Trojan, in addition to its basic ransomware functionality, also integrates the functionality of a DDoS bot.
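The spoofed-source UDP behaviour described above is also what an egress check at the network edge (in the spirit of BCP 38) can catch on the bot's side. The following Python is an added example, not code from the report or from Kaspersky: it scans constructed flow records for outbound UDP whose source address does not belong to the segment's own address space (assumed here to be 192.0.2.0/24) and reports the address being spoofed, which is the likely DDoS victim, together with the reflectors and ports contacted.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records as an edge tap or NetFlow export would show them:
# (source IP, destination IP, protocol, destination port). Hypothetical data.
FLOWS = [
    ("192.0.2.25", "198.51.100.1", "udp", 53),     # ordinary DNS query from the host
    ("203.0.113.99", "198.51.100.5", "udp", 123),  # source rewritten to the victim's address
    ("203.0.113.99", "198.51.100.6", "udp", 123),
    ("203.0.113.99", "198.51.100.7", "udp", 19),
    ("192.0.2.25", "198.51.100.9", "tcp", 443),
]

# Address space legitimately used on the monitored segment (assumed for the example).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def is_spoofed(src):
    """True when the claimed source address cannot belong to this segment."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in LOCAL_NETS)

def find_reflection_sources(flows):
    """For outbound UDP with a spoofed source, return
    {claimed source: (number of distinct reflectors contacted, sorted destination ports)}.
    The claimed source is the likely victim; the destinations are the reflectors."""
    seen = defaultdict(lambda: (set(), set()))
    for src, dst, proto, dport in flows:
        if proto == "udp" and is_spoofed(src):
            seen[src][0].add(dst)
            seen[src][1].add(dport)
    return {src: (len(d), sorted(p)) for src, (d, p) in seen.items()}
```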

Statistics for botnet-assisted DDoS attacks

Methodology

Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system.

The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.

This report contains the DDoS Intelligence statistics for the second quarter of 2016.

In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.

The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.

It is important to note that DDoS Intelligence statistics are limited to those botnets detected and analyzed by Kaspersky Lab. It should also be noted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.

Q2 Summary

Resources in 70 countries were targeted by DDoS attacks in Q2 2016.

77.4% of targeted resources were located in China.

China, South Korea and the US remained leaders in terms of the number of DDoS attacks and number of targets.

SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios. The proportion of attacks using the SYN DDoS method increased 1.4 times compared to the previous quarter.

In Q2 2016, 70.2% of all detected attacks were launched from Linux botnets, which is almost double the figure for the first quarter.

Geography of attacks

In Q2 2016, the geography of DDoS attacks narrowed to 70 countries, with China accounting for 77.4% of attacks. In fact, 97.3% of the targeted resources were located in just 10 countries. The three most targeted countries remained unchanged – China, South Korea and the US.

Distribution of DDoS attacks by country, Q1 2016 vs. Q2 2016

This quarter’s statistics show that 94.3% of attacks had unique targets within the 10 most targeted countries.

Here too China was the leader: 71.3% of all DDoS attacks targeted unique resources located in the country (vs. 49.7% in Q1).

The growth in the proportion of attacks on Chinese resources resulted in a decline in the share of attacks on resources in the other TOP 10 countries: South Korea saw its share fall by 15.5 percentage points, while the contribution of the US fell by 0.7 p.p.

Russia left the TOP 5 after its share decreased by 1.3 p.p. Vietnam took Russia’s place, with its share unchanged at 1.1%. Germany and Canada both left the TOP 10 and were replaced by France and the Netherlands, with 0.9% and 0.5% respectively.

Changes in DDoS attack numbers

DDoS activity was relatively uneven in Q2 2016, with a lull from late April till the end of May and two sharp peaks on 29 May and 2 June. The peak number of attacks in one day was 1,676, recorded on 6 June.

Number of DDoS attacks over time* in Q2 2016

*DDoS attacks may last for several days. In this timeline, the same attack can be counted several times, i.e. one time for each day of its duration.
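The counting rules in the Methodology section and in the timeline footnote above can be made concrete in code. The following Python is an added example, not part of the report or of the DDoS Intelligence system: it groups constructed observations of botnet commands into separate attacks per (target, botnet) pair using the 24-hour break rule, counts targets as unique IP addresses, and builds the per-day timeline in which an attack spanning several days is counted once for each day. The report does not say how a break of exactly 24 hours is treated, so that boundary is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed observations of botnet commands: (timestamp, target IP, botnet id). Hypothetical data.
OBSERVATIONS = [
    ("2016-06-01 08:00", "203.0.113.10", "botnet-A"),
    ("2016-06-01 20:00", "203.0.113.10", "botnet-A"),  # 12 h gap: same attack
    ("2016-06-03 09:00", "203.0.113.10", "botnet-A"),  # 37 h gap: separate attack
    ("2016-06-01 09:00", "203.0.113.10", "botnet-B"),  # other botnet: separate attack
    ("2016-06-02 10:00", "198.51.100.7", "botnet-A"),
    ("2016-06-04 23:00", "198.51.100.7", "botnet-A"),  # spans midnight with the next one
    ("2016-06-05 06:00", "198.51.100.7", "botnet-A"),
]

# A break of 24 hours or more starts a new attack (exact-24h boundary is an assumption).
BREAK = timedelta(hours=24)

def group_attacks(observations):
    """Group observations into (target, botnet, start, end) attacks by the report's rule."""
    by_key = defaultdict(list)
    for ts, target, botnet in observations:
        by_key[(target, botnet)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M"))
    attacks = []
    for (target, botnet), times in by_key.items():
        times.sort()
        start = end = times[0]
        for t in times[1:]:
            if t - end >= BREAK:  # break long enough: close the current attack
                attacks.append((target, botnet, start, end))
                start = t
            end = t
        attacks.append((target, botnet, start, end))
    return attacks

def unique_targets(attacks):
    """Number of targets, counted as unique IP addresses as in the report."""
    return len({target for target, _, _, _ in attacks})

def daily_counts(attacks):
    """Timeline counts: each attack is counted once for every calendar day it spans."""
    counts = defaultdict(int)
    for _, _, start, end in attacks:
        day = start.date()
        while day <= end.date():
            counts[day.isoformat()] += 1
            day += timedelta(days=1)
    return dict(counts)
```

With this sample the timeline sums to six entries for five attacks, which is the double counting the footnote warns about.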

An analysis of the data for the first half of 2016 shows that although the distribution of DDoS attack numbers by day of the week remains uneven, a steady upward trend is evident.

Number of DDoS attacks, Q1 2016 – Q2 2016

In Q2, Tuesday was the most active day of the week for DDoS attacks (15.2% of attacks), followed by Monday (15.0%). Thursday, which came second in Q1, fell one place (-1.4 p.p.). Sunday became the quietest day of the week in terms of DDoS attacks (13.0%).

Distribution of DDoS attack numbers by day of the week

Types and duration of DDoS attacks

The ranking of the most popular attack methods remained unchanged from the previous quarter. The SYN DDoS method further strengthened its position as leader: its share increased from 54.9% to 76%. The proportion of the other types of attacks decreased slightly, except for UDP DDoS, whose contribution grew by 0.7 p.p. However, these small fluctuations did not affect the order of the Top 5.

Distribution of DDoS attacks by type

The growth in the popularity of SYN DDoS is largely explained by the fact that during the second quarter of 2016, 70.2% of all detected attacks came from Linux botnets. This was the first time in a number of quarters that there has been such an imbalance between the activity of Linux- and Windows-based DDoS bots. Previously, the difference had not exceeded 10 percentage points. Linux bots are the most suitable tool for carrying out SYN DDoS attacks.

Correlation between attacks launched from Windows and Linux botnets

Attacks that last no more than four hours remained the most popular, although their share decreased from 67.8% in Q1 to 59.8% in Q2 of 2016. At the same time, the proportion of longer attacks increased considerably – attacks that lasted 20-49 hours accounted for 8.6% (vs. 3.9% in the first quarter) and those that lasted 50-99 hours accounted for 4% (vs. 0.8% in the previous quarter).

The longest DDoS attack in the second quarter of 2016 lasted for 291 hours, which significantly exceeded the Q1 maximum of 197 hours.

Distribution of DDoS attacks by duration (hours)

C&C servers and botnet types

In Q2, South Korea remained the clear leader in terms of the number of C&C servers located on its territory, with its share amounting to 69.6%, a 2 p.p. increase from the first quarter of 2016. The TOP 3 countries hosting the most C&C servers (84.8%) remained unchanged, while Brazil (2.3%), Italy (1%) and Israel (1%) all entered the TOP 10.

Distribution of botnet C&C servers by country in Q2 2016

As in previous quarters, 99.5% of DDoS targets in Q2 2016 were attacked by bots belonging to one family. Cybercriminals launched attacks using bots from two different families (used by one or more botnet masters) in just 0.5% of cases. The most popular families of the quarter were Xor, Yoyo and Nitol.

Conclusion

The second quarter of 2016 saw cybercriminals paying close attention to financial institutions working with cryptocurrency. Several of these organizations cited DDoS attacks as the reason for ceasing their activities. Intense competition leads to the use of unfair methods, one of which is the use of DDoS attacks. A strong interest on the part of the attackers is due to a particular feature of the businesses involved in processing cryptocurrency – not everyone is happy about the lack of regulation when it comes to cryptocurrency turnover.

Another trend is the use of vulnerable IoT devices in botnets to launch DDoS attacks. In one of our earlier reports, we wrote about the emergence of a botnet consisting of CCTV cameras; the second quarter of 2016 saw a certain amount of interest in these devices among botnet organizers. It is possible that by the end of this year the world will have heard about some even more “exotic” botnets, including vulnerable IoT devices.